Massive Attacks Targeting Cisco SD-WAN Controllers: Everything You Need to Know About CVE-2026-20182 & Other Vulnerabilities
Learn about the critical CVE-2026-20182 authentication bypass vulnerability in Cisco SD-WAN Controllers and how it is being exploited by hackers
Hello community, this is Mister Red,
Recently, security flaws in Cisco Catalyst SD-WAN controllers have become a major topic of discussion in the cybersecurity world. According to a new report from Talos Intelligence, attackers are actively exploiting these vulnerabilities in widespread attacks. Here are the technical details that bug hunters and security researchers need to know.
What is CVE-2026-20182? (CVSS Score: 10.0)
This is a critical authentication bypass vulnerability. It primarily affects Cisco's vSmart (SD-WAN Controller) and vManage (SD-WAN Manager). It lets an unauthenticated attacker obtain administrative access to the controller without supplying any username or password.
Technical Breakdown:
The flaw lies in the peering authentication of the 'vdaemon' service, which listens on UDP port 12346 for control-plane connections. By sending specially crafted requests to that port, an attacker can log into the system as the high-privileged but non-root account 'vmanage-admin'. From that account they can alter the SD-WAN fabric's configuration through the NETCONF interface. Because the bypass happens at the control-plane peering layer rather than in the web UI or SSH, reachability of UDP 12346 is the attack surface to worry about.
UAT-8616 and Other Hacker Groups:
According to the Talos report, a group tracked as 'UAT-8616' is the primary actor exploiting this zero-day. Once inside, they were observed adding SSH keys, modifying the NETCONF configuration, and attempting to escalate from vmanage-admin to root.
Additionally, other groups are actively chaining previously disclosed vulnerabilities such as CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122. Using a proof-of-concept (PoC) released by ZeroZenX Labs, these groups mainly deploy web shells such as 'XenShell', Godzilla, and Behinder, plant Sliver C2 implants, and abuse the compromised servers for cryptomining with XMRig.
Mitigation:
Cisco has released security patches for these issues, so updating affected systems to the fixed release immediately is of utmost importance. CISA (Cybersecurity and Infrastructure Security Agency) has also added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. To check whether a system has been compromised, inspect auth.log on the vSmart controllers for unauthorized SSH logins. Keep in mind that the initial bypass goes through vdaemon, not SSH, so auth.log only reveals the follow-on activity: also review authorized_keys files for keys you did not provision and the NETCONF configuration history for changes nobody on your team made.
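The following is an added example of the post-exploitation hunt described above (unauthorized SSH logins in auth.log and unexpected entries in authorized_keys); it is not code from the Talos report, Cisco, or the original post. The log lines, key blobs, fingerprints, trusted management network, and expected-account list are all constructed for illustration; adapt them to your own environment.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# OpenSSH "Accepted" lines as written to auth.log. The trailing key type and
# fingerprint are only present for publickey logins, hence the optional group.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)

# Constructed sample auth.log excerpt (not from a real incident).
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 vsmart1 sshd[2011]: Accepted publickey for admin from 10.10.5.20 port 51022 ssh2: RSA SHA256:opsKnownKeyFingerprint0000000000000000000
Mar  3 09:40:17 vsmart1 sshd[2412]: Accepted password for vmanage-admin from 203.0.113.45 port 40112 ssh2
Mar  3 09:41:03 vsmart1 sshd[2412]: pam_unix(sshd:session): session opened for user vmanage-admin by (uid=0)
Mar  3 09:42:50 vsmart1 sshd[2530]: Accepted publickey for admin from 198.51.100.7 port 44120 ssh2: ED25519 SHA256:neverSeenBeforeFingerprint0000000000000
Mar  3 10:01:22 vsmart1 sshd[2655]: Failed password for admin from 203.0.113.45 port 40200 ssh2
"""

# Constructed authorized_keys content; the second entry is the "planted" key.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownOpsKeyBlob ops@jumphost
from="10.10.5.0/24" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQUnknownKeyBlob
"""

# Assumed policy: management jump hosts live in 10.10.5.0/24, only 'admin'
# is expected to SSH in interactively, and these are the provisioned keys.
TRUSTED_NETS = ["10.10.5.0/24"]
EXPECTED_USERS = {"admin"}
KNOWN_FINGERPRINTS = {"SHA256:opsKnownKeyFingerprint0000000000000000000"}
KNOWN_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIKnownOpsKeyBlob"}

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


@dataclass
class SshLogin:
    user: str
    method: str
    src_ip: str
    fingerprint: Optional[str]
    raw: str


def parse_ssh_logins(auth_log: str) -> List[SshLogin]:
    """Extract successful SSH logins ("Accepted ...") from auth.log text."""
    logins = []
    for line in auth_log.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            logins.append(SshLogin(m["user"], m["method"], m["ip"], m["fp"], line))
    return logins


def find_suspicious_logins(logins: Iterable[SshLogin], trusted_nets: Iterable[str],
                           expected_users: Iterable[str],
                           known_fingerprints: Iterable[str]) -> List[Tuple[SshLogin, str]]:
    """Return (login, reason) pairs for each policy violation found."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    expected, known = set(expected_users), set(known_fingerprints)
    findings = []
    for login in logins:
        src = ipaddress.ip_address(login.src_ip)
        if not any(src in n for n in nets):
            findings.append((login, f"source {login.src_ip} outside trusted management networks"))
        if login.user not in expected:
            findings.append((login, f"interactive SSH as unexpected account {login.user!r}"))
        if login.method == "publickey" and login.fingerprint not in known:
            findings.append((login, f"unknown key fingerprint {login.fingerprint}"))
    return findings


def find_unknown_authorized_keys(authorized_keys: str, known_blobs: Iterable[str]) -> List[str]:
    """Return the key blobs of authorized_keys entries not in the provisioned allowlist.

    Entries may carry leading options (e.g. from="..."); the key type token is
    located by prefix. Options containing whitespace are not handled here.
    """
    known = set(known_blobs)
    unknown = []
    for line in authorized_keys.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, tok in enumerate(parts) if tok.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # malformed entry; worth eyeballing, but not a key we can compare
        blob = parts[idx + 1]
        if blob not in known:
            unknown.append(blob)
    return unknown


if __name__ == "__main__":
    for login, reason in find_suspicious_logins(parse_ssh_logins(SAMPLE_AUTH_LOG),
                                                TRUSTED_NETS, EXPECTED_USERS, KNOWN_FINGERPRINTS):
        print(f"[SUSPICIOUS] {reason}\n    {login.raw}")
    for blob in find_unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEY_BLOBS):
        print(f"[UNKNOWN KEY] authorized_keys contains unprovisioned key {blob}")
```

Running this against the constructed data flags the password login as vmanage-admin from an untrusted address and the publickey login from another untrusted address with a fingerprint that was never provisioned, and it reports the planted RSA key in authorized_keys. On a real controller, pair this with a diff of the NETCONF configuration against your last known-good export, since the vdaemon bypass itself leaves no trace in auth.log.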
Final Thoughts:
This is a huge lesson for the bug hunting community. It is the latest example of how a single flaw in an authentication mechanism can compromise an entire system, and in this case the fabric it controls. Studying the technical details will greatly benefit new bug hunters.
I'll be back soon with more security updates. Stay safe, and happy hunting!